A busy week at the RSA Conference for the FAIR Institute. Tuesday at the SC Awards ceremony, the FAIR Institute received the extraordinary honor of being named one of the Most Important Industry Organizations of the Last 30 Years. Wednesday morning, the annual FAIR Institute Breakfast featured a panel discussion by expert FAIR practitioners from Highmark Health, ADP, TIAA and Fannie Mae. And Wednesday afternoon, Jack Jones, FAIR Institute Chairman and creator of Factor Analysis of Information Risk (FAIR), spoke at the conference on risk appetite; see a summary in Dan Raywood’s article for Infosecurity Magazine, “How to Get and Maintain Your Risk Appetite.”
As Dan reports, Jack said that risk appetite is a moving target but one that’s still very useful for focusing risk management efforts, communicating with stakeholders and reducing the likelihood of unacceptable loss.
See the video of Jack’s talk on risk appetite at RSAC19 (registration required)
A risk appetite definition starts with defining a loss event scenario, for instance, a system outage or security policy non-compliance.
The next step is to “draw a line in the sand”, for instance at losing no more than one million customer records in a cyber loss event.
The line then drives concrete action steps, such as, for “assets with one million records, find them in privileged systems that are internet-facing and those with no more than one exploitable condition (such as SQL or weak passwords) and review every three years.”
“Simply being explicit on lines can have a huge effect on objectives,” Jack counseled.
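The action step in that quote is, in practice, a query over an asset inventory: once the line is explicit, you can check every asset against it. As an added illustration (not code from the talk, from Jack Jones or from the FAIR Institute), the block below encodes the drawn line and the criteria listed above and runs them over a constructed sample inventory. The asset names, record counts, review dates, the as-of date and the `sqli` / `weak_passwords` labels for the “SQL or weak passwords” conditions are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Thresholds taken from the line drawn in the talk.
RECORD_LINE = 1_000_000          # "losing no more than one million customer records"
MAX_EXPLOITABLE_CONDITIONS = 1   # "no more than one exploitable condition"
REVIEW_INTERVAL_YEARS = 3        # "review every three years"

# Assumed as-of date for the example (roughly RSAC 2019); not from the page.
AS_OF = date(2019, 3, 6)


@dataclass
class Asset:
    name: str
    customer_records: int
    internet_facing: bool
    privileged: bool
    # Labels such as "sqli" or "weak_passwords" are assumptions for the example.
    exploitable_conditions: List[str] = field(default_factory=list)
    last_reviewed: Optional[date] = None


def crosses_record_line(asset: Asset, line: int = RECORD_LINE) -> bool:
    """True if a single loss event on this asset could breach the drawn line."""
    return asset.customer_records >= line


def in_review_scope(asset: Asset) -> bool:
    """Apply the action-step criteria quoted above: at or above the record line,
    internet-facing, privileged, and no more than one exploitable condition."""
    return (
        crosses_record_line(asset)
        and asset.internet_facing
        and asset.privileged
        and len(asset.exploitable_conditions) <= MAX_EXPLOITABLE_CONDITIONS
    )


def review_overdue(asset: Asset, today: date) -> bool:
    """True if the asset has never been reviewed or its review is more than
    REVIEW_INTERVAL_YEARS old. Feb 29 review dates roll back to Feb 28."""
    if asset.last_reviewed is None:
        return True
    last = asset.last_reviewed
    try:
        due = last.replace(year=last.year + REVIEW_INTERVAL_YEARS)
    except ValueError:  # last_reviewed was Feb 29 and the target year is not a leap year
        due = last.replace(year=last.year + REVIEW_INTERVAL_YEARS, day=28)
    return today >= due


def triage(assets: List[Asset], today: date) -> List[str]:
    """Names of in-scope assets whose periodic review is overdue, sorted."""
    return sorted(a.name for a in assets if in_review_scope(a) and review_overdue(a, today))


# Constructed sample inventory; every value here is made up for the example.
SAMPLE_ASSETS = [
    Asset("crm-portal", 2_500_000, True, True, ["weak_passwords"], date(2015, 6, 1)),
    Asset("billing-api", 1_200_000, True, True, ["sqli", "weak_passwords"], date(2014, 2, 1)),
    Asset("hr-db", 1_000_000, False, True, [], date(2014, 2, 1)),
    Asset("marketing-site", 50_000, True, False, ["sqli"], None),
    Asset("partner-gateway", 1_000_000, True, True, [], date(2017, 1, 15)),
]


def overdue_as_of_sample_date() -> List[str]:
    """Run the triage over the sample inventory as of the assumed date."""
    return triage(SAMPLE_ASSETS, AS_OF)


if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:16} line={crosses_record_line(a)!s:5} scope={in_review_scope(a)!s:5} "
              f"overdue={review_overdue(a, AS_OF)}")
    print("review now:", overdue_as_of_sample_date())
```

Note that `billing-api` drops out of scope only because it carries two exploitable conditions, exactly as the quoted criteria are worded; whether an asset in that state should instead be treated as already outside appetite is a decision the page leaves to the reader, so the example does not make it.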